Basically the idea is to get the code and cross-compile it using the Android NDK (Native Development Kit) toolset on Ubuntu, then take the resulting binary, transfer it onto your device and run it with the right permissions.

Update [2017-01-16]: I’m not sure whether this will work for Android on both x86 and ARM architectures. I tested it on an ARM architecture (physical device), and it worked. I have yet to test it on an x86 architecture and will update after testing. (My feeling is that it should.) I forgot that multiple folders are created in the libs directory, one for each architecture. Pick the executable from the folder matching your architecture, and it should work.

Update [2017-01-18]: I tested this entire thing on an Android 7.1.1 (Nougat) emulator and eventually got it working. It seems that from Android 5.0 you will probably get an error like “error: only position independent executables (PIE) are supported”. From what I’ve read here, this is due to a security feature implemented from Android 5.0 onwards. The Android.mk file has to be modified a bit (I’ve added the modifications needed) to enable PIE for any executables on Android 5.0 onwards. (The truth is that the PIE feature seems to be available from 4.1, but it is disabled there, and from 5.0 it is enabled by default.)

Create a directory in an appropriate location of your choice. I created one called memdump on my Desktop. Then create a directory with the name jni in that directory (this is important for using ndk-build later).

cd ~/Desktop
mkdir memdump
cd memdump
mkdir jni
cd jni

Create a file named memdump.c in the jni directory and copy-paste the code from the link provided above into it. I’ve put the code here below also, just for completeness:

Click Apply or OK. A dialog should appear where you accept the license conditions and then the requisite tools should begin installing.

(For our case here, we will use only ndk-build, since that is what worked. Ideally you could use CMake, and in fact the latest Android documentation suggests using CMake henceforth, since I think they plan to retire / deprecate ndk-build eventually. All the same, I think the Android.mk file I found on StackExchange was written for ndk-build, so that’s what we’ll use. Also, I’m not yet sure how to use CMake for this task; if I figure it out I’ll write another blog post.) You could also use Android Studio directly for this entire task of building/compiling the C code to get an Android/ARM executable, but I don’t know how to configure it correctly yet.

Once you have the NDK installed, navigate to the ~/Desktop/memdump directory and, while there, execute ndk-build, which you can find under /home/Android/Sdk/ndk-bundle/

cd ~/Desktop/memdump
/home/Android/Sdk/ndk-bundle/ndk-build

If you happen to be on a Windows machine, ndk-build.cmd will do the job for you. Navigate to the folder where you have memdump and run it, e.g.:

At this point the code should build and compile, creating a libs directory and an obj directory. Navigate into the libs directory and you will see directories for various architectures. Under each directory there is an executable for that specific architecture. For now we are mainly concerned with the one under armeabi.

Installing the Memdump executable on an Android device:

In order to use the Memdump executable, we need to get it onto an Android device in a place that allows execution, give the executable execute permissions and run it.

NB: We assume that the Android device is rooted properly and that the specific Superuser management app allows root access from the adb shell. (I haven’t tested it on an unrooted device, but I still suspect that the device needs to be rooted first.)

Navigate to the directory containing the adb executable, get into the adb shell and navigate to /data/local/tmp (since execution of binaries is allowed there). We want to put the memdump executable in a directory in here. Create a directory here called mem_dump_tools (or whatever you’d like to call it); this is where we will put the memdump executable.

NB: Make sure you don’t forget the “>” to redirect stdout to a file (or elsewhere).

Hack: (For those interested in Forensics & Reversing.) If you get the Position Independent Executables (PIE) error here because you missed the lines LOCAL_CFLAGS += -fPIE and LOCAL_LDFLAGS += -fPIE -pie in the Android.mk file, there is an interesting hack (credit to Koorosh Ghorbani) that I found on Stack Overflow. Open the executable with your favourite hex editor and change the 17th byte from 02 to 03; the executable should now run without the PIE error. (That byte is the ELF e_type field: 02 is ET_EXEC, a fixed-address executable, and 03 is ET_DYN, which the loader treats as position independent.)
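As an added example (not the post’s own Android.mk or code), here is a small sh script that writes the ndk-build module definition with the two PIE flags and then checks the built binary’s ELF e_type field, the “17th byte” the hack above refers to, so you know before pushing whether it is position independent; the headers produced by make_sample_elf are constructed for testing.

```shell
# Added example, not code from the original post. write_android_mk writes the
# ndk-build module definition with the PIE flags the post says it added;
# elf_type reads the ELF e_type field (two bytes at offset 16, the "17th byte"
# in the hack) of a built binary and reports ET_DYN (3, position independent)
# versus ET_EXEC (2), which Android 5.0+ refuses to run.
# Assumes a little-endian ELF, which every NDK target produces.

# write_android_mk DIR -- writes DIR/Android.mk for a memdump.c executable
write_android_mk() {
    cat > "$1/Android.mk" <<'EOF'
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
LOCAL_MODULE := memdump
LOCAL_SRC_FILES := memdump.c
# -fPIE / -pie: build a position independent executable (required from 5.0)
LOCAL_CFLAGS += -fPIE
LOCAL_LDFLAGS += -fPIE -pie
include $(BUILD_EXECUTABLE)
EOF
}

# elf_type FILE -- prints "pie", "exec" or "unknown"; fails if FILE is not ELF
elf_type() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = 7f454c46 ] || { echo "$1: not an ELF file" >&2; return 1; }
    # e_type is a 16-bit little-endian value at offset 16
    case $(od -An -tx1 -j16 -N2 "$1" | tr -d ' \n') in
        0200) echo exec ;;
        0300) echo pie ;;
        *)    echo unknown ;;
    esac
}

# make_sample_elf FILE TYPE -- constructed minimal 32-bit little-endian ELF
# header (only the fields elf_type reads) with e_type = TYPE, for testing
make_sample_elf() {
    {
        printf '\177ELF\001\001\001\000'            # magic, ELFCLASS32, LSB, version, OS ABI
        printf '\000\000\000\000\000\000\000\000'   # ABI version + padding to offset 16
        printf "\\$(printf '%03o' "$2")\000"        # e_type (low byte, high byte)
        printf '\050\000'                           # e_machine = 40 (EM_ARM)
    } > "$1"
}
```

Run elf_type on libs/armeabi/memdump after ndk-build; "exec" means the flags did not take effect and the binary will hit the PIE error on Android 5.0 or later.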

We want to dump the process memory of an application, e.g. Chrome, Facebook, WhatsApp, etc., into a directory on the SD card. Let’s use Chrome for now.

Let’s first create a directory where the dumps should go.

./adb shell
su root
cd /storage/extSdcard
mkdir MEM_DUMPS

Now let’s get the process id of the process that we want to target:

ps | grep chrome

Pick the pid from this output. You should get three processes: one with sandbox affixed, another with privileged affixed, and another that is just plain com.android.chrome. Pick this last one, with nothing affixed to the name.

Then run memdump as follows:

./memdump <pid> > /storage/extSdcard/MEM_DUMPS/<mem_dump_file_name>

E.g.: ./memdump 1234 > /storage/extSdcard/MEM_DUMPS/chrome.dmp

The dumping process should now begin (there’s no real progress report, just the cursor blinking or hanging), and it should take some seconds to minutes depending on your phone’s processing capabilities. For Chrome I got an 800MB dump file, so give it some time; it took about 2 minutes. Alternatively, try a less memory-intensive app that results in a smaller process memory dump file.
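To avoid grabbing one of the sandbox or privileged helper pids by accident, here is an added sh example (not from the original post) that matches the process name exactly, insists on a single match and only then composes the memdump line with its stdout redirect; the ps output below is constructed, and the column layout (pid second, name last) is assumed to match the device’s ps.

```shell
# Added example, not code from the original post. Resolves the pid of the
# plain "com.android.chrome" process from `ps` output, skipping the helper
# processes the post mentions (shown here with constructed ":sandboxed_process0"
# and ":privileged_process0" suffixes), then builds the memdump command.
# Assumed: the device's ps prints the pid in column 2 and the name last.

# Constructed sample of what `ps | grep chrome` returns on the device
SAMPLE_PS='USER     PID   PPID  VSIZE  RSS   WCHAN     PC       NAME
u0_a52   1234  312   987654 65432 SyS_epoll 00000000 S com.android.chrome
u0_i5    1301  312   456789 23456 SyS_epoll 00000000 S com.android.chrome:sandboxed_process0
u0_a52   1287  312   567890 34567 SyS_epoll 00000000 S com.android.chrome:privileged_process0'

# select_pid PS_OUTPUT NAME
# Prints the single pid whose NAME column equals NAME exactly. Unlike
# `grep chrome`, a substring never matches the helper processes, and zero or
# several matches fail instead of being passed on to memdump.
select_pid() {
    matches=$(printf '%s\n' "$1" | awk -v want="$2" '$NF == want { print $2 }')
    n=$(printf '%s' "$matches" | wc -w | tr -d ' ')
    [ "$n" -eq 1 ] || { echo "expected 1 process named $2, found $n" >&2; return 1; }
    printf '%s\n' "$matches"
}

# memdump_cmd PS_OUTPUT NAME OUTFILE
# Prints the memdump invocation for NAME, redirecting stdout to OUTFILE
# (the ">" the post warns not to forget). On the device, run the result with:
#   eval "$(memdump_cmd "$(ps)" com.android.chrome /storage/extSdcard/MEM_DUMPS/chrome.dmp)"
memdump_cmd() {
    pid=$(select_pid "$1" "$2") || return 1
    printf './memdump %s > %s\n' "$pid" "$3"
}
```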